Australian daily deals website Catch of the Day misled customers who were potential victims of a data breach in 2011 in stating that it reported the breach to the Australian Federal Police at the time of the attack.
On Friday evening, Catch of the Day quietly notified customers to change their password, revealing that it had been the victim of a data breach in May 2011, where credit card details, email addresses, delivery addresses, hashed passwords, and other customer information had been obtained.
The company, which owns the Catch of the Day, Scoopon, EatNow, GroceryRun, and Mumgo websites, said it worked with banks and the Australian Federal Police to cancel cards, but it appears that customers were not informed of the source of the issue at the time.
Catch Group said it was informing the public three years later because "technological advances" meant that it may be now possible for the hashed passwords to be compromised.
The company, in its statement to customers and to the media, claimed that it had informed the AFP at the time of the attack.
"Catch of the Day acted swiftly at the time to shut down the attack and reported it to the Australian Federal Police, banks and credit card companies, who took action to protect consumers, such as cancelling affected cards."
But in a statement provided to ZDNet today, the AFP denied hearing from the company at the time.
"AFP records do not show that any complaint was received in 2011 from the 'Catch of the Day' website," the spokesperson said.
The AFP is the second organisation to come forward and confirm it was not informed about the breach at the time. Privacy Commissioner Timothy Pilgrim confirmed that his office was only informed about the breach last month.
Catch of the Day was not obligated to notify the Privacy Commissioner about the breach, but companies routinely inform the commissioner when a breach occurs.
The former Labor government attempted to bring about mandatory data breach notification laws before the September election, and has again tried to bring them on in opposition in the new parliament, but so far the legislation has yet to reach a final vote.
A spokesperson for Catch of the Day said the company stands by its claim.
"We stand by our notification. Police were involved."
The company continues to have customers request to cancel their accounts through Twitter and Facebook, and Catch Group has still yet to explain why it waited three years to inform customers of the breach in the first place.
In response to one customer asking why it failed to inform the public about it, the company said on Twitter that the statements provided "are all we are able to say on the matter."
"We're sorry if this upsets you."
The date of the data breach incident aligns with the announcement in May 2011 that Catch of the Day had secured an AU$80 million investment from a consortium of investors including James Packer's Consolidated Press Holdings, and Seek co-founder Andrew Bassat.